Edgar Boda-Majer eboda
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| nc minbashmaxfun 1337 -v <<<$(python solve.py file dump_flag.sh ) |
eboda
/ exploit.js
Last active
September 14, 2021 13:20
Exploit for Chakrazy challenge from PlaidCTF 2017 - ChakraCore exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //////////////////////////////////////////////////////////////////////////// | |
| // | |
| // The vulnerability was that the following line of code could change the type of the | |
| // underlying Array from JavascriptNativeIntArray to JavascriptArray: | |
| // | |
| // spreadableCheckedAndTrue = JavascriptOperators::IsConcatSpreadable(aItem) != FALSE; | |
| // | |
| // As can be seen in the provided .diff, the check for whether the type of the pDestArray has changed | |
| // was removed. If the aItem then is not a JavascriptArray, the following code path is taken: | |
| // else |
OlderNewer